Bob Maley at Security Boulevard writes about understanding third-party cyber risk in supply chains. The National Counterintelligence and Security Center (NCSC) named April “National Supply Chain Integrity Month.” Along with its federal partners, including the Department of Homeland Security, NCSC kicked off this campaign to raise awareness about “growing threats to the supply chains of both the private sector and U.S. Government agencies,” and to provide resources to help mitigate these risks.

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your company’s system through an outside partner or provider with access to your systems and data. A business is only as secure as the weakest link in its supply chain; that includes vendors, technology partners, contractors — any third party that needs access to your enterprise’s systems to complete a task. A single lapse by a third party can lead to operational disruption, a cyberattack, or a compliance violation.

Perhaps the most high-profile third-party data breach was the Target breach in 2014. The retailer’s point-of-sale (POS) system was hacked through a compromised HVAC vendor. That should’ve been a wake-up call about the dangers of supply chain risk. Instead, the problem has grown worse since then. According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56 percent of organizations have experienced a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. Making matters even more difficult, only 35 percent of companies surveyed said they had a full list of all the third parties with which they were sharing sensitive information.